Communicating with an entity inside a private network using an existing connection to initiate communication

ABSTRACT

A system is disclosed that allows an entity outside of a private network to initiate communication with another entity inside the private network. A first entity inside the private network maintains a persistent connection with a second entity outside the private network, with a port identification associated with the first entity's persistent connection. A third entity outside the private network obtains the port identification and initiates communication with the first entity by sending a message to the first entity using the port identification. The first and third entities then exchange communications outside the persistent connection. In an alternate implementation, the third entity uses the port identification to send the first entity a request for establishing a connection. The request is forwarded to the first entity through the persistent connection. The first entity responds by establishing a connection with the third entity outside the persistent connection.

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application is related to the following Patents/Applications:

[0002] DOMAIN NAME ROUTING, Hasan S. Alkhatib, U.S. Pat. No. 6,119,171;

[0003] IPNET GATEWAY, Hasan S. Alkhatib and Bruce C. Wootton, U.S. application Ser. No. 09/167,709, filed on Oct. 6, 1998;

[0004] PSEUDO ADDRESSING, Bruce C. Wootton, et al., U.S. application Ser. No. 09/637,803, filed on Aug. 11, 2000; and

[0005] ACCESSING AN ENTITY INSIDE A PRIVATE NETWORK, Hasan S. Alkhatib, Yun Fei Zhang, Fouad A. Tobagi and Farid F. Elwailly, U.S. application Ser. No. ______, filed the same day as the present application with Attorney Docket No. TTCC-01012US0.

[0006] Each of the related Patents/Applications is incorporated herein by reference.

BACKGROUND OF THE INVENTION

[0007] 1. Field of the Invention

[0008] The present invention is directed to a system for accessing an entity inside a private network.

[0009] 2. Description of the Related Art

[0010] Most machines on the Internet use the TCP/IP (Transmission Control Protocol/Internet Protocol) reference model to send data to other machines on the Internet. The TCP/IP reference model includes four layers: the physical and data link layer, the network layer, the transport layer, and the application layer. The physical layer portion of the physical and data link layer is concerned with transmitting raw bits over a communication channel. The data link portion of the Physical and Data Link layer takes the raw transmission facility and transforms it into a line that appears to be relatively free of transmission errors. It accomplishes this task by having the sender break the input data up into frames, transmit the frames and process the acknowledgment frames sent back by the receiver.

[0011] The network layer permits a host to inject packets into a network and have them travel independently to the destination. On the Internet, the protocol used for the network layer is the Internet Protocol (IP).

[0012] The transport layer is designed to allow peer entities on the source and destination to carry on a “conversation.” On the Internet, two protocols are used. The first one, the Transmission Control Protocol (TCP), is a reliable connection-oriented protocol that allows a byte stream originating on one machine to be delivered without error to another machine on the Internet. It fragments the incoming byte stream into discrete packets and passes each one to the network layer. At the destination, the receiving TCP process reassembles the received packets into the output stream. TCP also handles flow control to make sure a fast sender cannot swamp a slow receiver with more packets than it can handle. The second protocol used in the transport layer on the Internet is the User Datagram Protocol (UDP), which does not provide the TCP sequencing or flow control. UDP is typically used for one-shot, client-server type request-reply queries for applications in which prompt delivery is more important than accurate delivery.

[0013] The transport layer is typically thought of as being above the network layer to indicate that the network layer provides a service to the transport layer. Similarly, the transport layer is typically thought of as being below the application layer to indicate that the transport layer provides a service to the application layer.

[0014] The application layer contains the high level protocols, for example, Telnet, File Transfer Protocol (FTP), Electronic Mail—Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP).

[0015] To transmit data from a source to a destination, the Internet Protocol uses an IP address. An IP address is four bytes long, and consists of a network number and a host number. When written out, IP addresses are specified as four numbers separated by dots (e.g. 198.68.70.1). Users and software applications do not always refer to hosts or other resources by their numerical IP address. Instead of using numbers, they use ASCII strings called domain names. The Internet uses a Domain Name System (DNS) to convert a domain name to an IP address.

[0016] The Internet Protocol has been in use for over two decades. It has worked extremely well, as demonstrated by the exponential growth of the Internet. Unfortunately, the Internet is rapidly becoming a victim of its own popularity: it is running out of addresses.

[0017] One proposed solution to the depleting address problem is Network Address Translation (NAT). This concept includes predefining a number of network addresses to be private addresses. The remainder of the addresses are considered global or public addresses. Public addresses are unique addresses that should only be used by one entity having access to the Internet. That is, no two entities on the Internet should have the same public address. Private addresses are not unique and are typically used for entities not having direct access to the Internet. Private addresses can be used by more than one organization or network. NAT assumes that all of the machines on a network will not need to access the Internet at all times. Therefore, there is no need for each machine to have a public address. A local network can function with a small number of one or more public addresses assigned to one or more gateway computers. The remainder of the machines on the network will be assigned private addresses. Since entities on the network have private addresses, the network is considered to be a private network.

[0018] When a particular machine having a private address on the private network attempts to initiate a communication to a machine outside of the private network (e.g. via the Internet), the gateway machine will intercept the communication, change the source machine's private address to a public address and set up a table for translation between public addresses and private addresses. The table can contain the destination address, port numbers, sequencing information, byte counts and internal flags for each connection associated with a host address. Inbound packets are compared against entries in the table and permitted through the gateway only if an appropriate connection exists to validate their passage. One problem with the NAT approach is that it only works for communication initiated by a host within the private network to a host on the Internet that has a public IP address. The NAT approach specifically will not work if the communication is initiated by a host outside of the private network and is directed to a host with a private address in the private network.

[0019] Another problem is that mobile computing devices can be moved to new and different networks, including private networks. These mobile computing devices may need to be reachable so that a host outside of the private network can initiate communication with the mobile computing device. However, in this case the problem is two-fold. First, there is no means for allowing the host outside of the private network to initiate communication with the mobile computing device. Second, the host outside the private network does not know the address for the mobile computing device or the network that the mobile computing device is currently connected to.

SUMMARY OF THE INVENTION

[0020] The present invention, roughly described, pertains to a system for accessing an entity inside a private network. The system disclosed allows an entity outside of a private network to establish a connection with an entity inside the private network. In one embodiment, a first entity inside the private network maintains a persistent connection with a second entity outside the private network. A port identification is associated with the persistent connection. A third entity, which is outside the private network, uses the port identification to initiate communication with the first entity in the private network. The first and third entities then exchange communications outside of the persistent connection.

[0021] In one embodiment, the third entity employs the port identification to send a communication to the first entity, without using a public address unique to the first entity. In this embodiment, the third entity sends the initial communication outside of the persistent connection. The first and third entities continue to exchange communications outside of the persistent connection using the port identification.

[0022] In an alternate embodiment, the third entity uses the port identification and persistent connection to send a page communication to the first entity via the second entity. The page communication serves as a request for establishing communication. The first entity responds by establishing a connection with the third entity outside of the persistent connection. A new port identification is associated with the connection to the third entity. The first and third entities then exchange communications outside of the persistent connection using the new port identification.

[0023] The entities described above can be any device with the ability to communicate on a network, including mobile and non-mobile computing devices such as desktop computers, laptop computers, telephones, handheld computing devices, wireless devices, network appliances, servers, routers, gateways, etc. The entities can also be a software process, thread, etc.

[0024] The present invention can be accomplished using hardware, software, or a combination of both hardware and software. The software used for the present invention is stored on one or more processor readable storage media including hard disk drives, CD-ROMs, DVDs, optical disks, floppy disks, tape drives, RAM, ROM or other suitable storage devices. In alternative embodiments, some or all of the software can be replaced by dedicated hardware including custom integrated circuits, gate arrays, FPGAs, PLDs, and special purpose computers.

[0025] These and other objects and advantages of the present invention will appear more clearly from the following description in which the preferred embodiment of the invention has been set forth in conjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0026] FIG. 1 depicts a block diagram of one embodiment of components of the present invention.

[0027] FIG. 2 is a flow chart describing one embodiment of a process for implementing a portion of the present invention.

[0028] FIG. 3 depicts a UDP segment.

[0029] FIG. 4 depicts a header for a UDP segment.

[0030] FIG. 5 is a flow chart describing one embodiment of a process for registering with a server.

[0031] FIG. 6 is a flow chart describing one embodiment of a process for enabling and exchanging communication with an entity in a private network.

[0032] FIG. 7 is a block diagram that explains one embodiment of a process for one entity initiating communication with another entity in a private network.

[0033] FIG. 8 is a block diagram that explains one embodiment of a process for an entity in a private network sending a message to another entity outside of the private network.

[0034] FIG. 9 is a flow chart describing another embodiment of a process for enabling and exchanging communication with an entity in a private network.

[0035] FIG. 10 is a block diagram that explains one embodiment of a process for sending a message requesting an entity in a private network to establish a connection with another entity outside of the private network.

[0036] FIG. 11 is a block diagram that explains another embodiment of a process for an entity in a private network to establish a connection with another entity outside of the private network.

[0037] FIG. 12 is a block diagram that explains one embodiment of an entity sending a message to another entity in a private network using an established connection between the entities.

[0038] FIG. 13 depicts a block diagram of another embodiment of components of the present invention.

[0039] FIG. 14 is a block diagram that explains one embodiment of a process for one entity in a private network initiating communication with another entity in another private network.

[0040] FIG. 15 is a block diagram that explains one embodiment of a process for an entity in a private network sending a message to another entity in another private network.

[0041] FIG. 16 is a block diagram that explains one embodiment of a process for sending a message requesting an entity in a private network to establish a connection with another entity in another private network.

[0042] FIG. 17 is a block diagram that explains another embodiment of a process for an entity in a private network to establish a connection with another entity in another private network.

[0043] FIG. 18 is a block diagram that explains one embodiment of an entity in a private network sending a message to another entity in another private network using an established connection between the entities.

[0044] FIG. 19 is a block diagram depicting exemplar components of a computing system that can be used to implement the present invention.

DETAILED DESCRIPTION

[0045] FIG. 1 is a block diagram of one embodiment of the components of the present invention. FIG. 1 shows private network 10. Network 10 is a private network because entities on the network use private addresses. The components connected to private network 10 include NAT device 12, and entities 14, 16, and 18. The entities can be any device that can communicate on a network, including mobile and non-mobile computing devices such as desktop computers, laptop computers, telephones, handheld computing devices, network appliances, servers, routers, gateways, wireless devices, etc. In one embodiment, each (or some) of the entities have a communication device (e.g. network interface), a storage device, I/O devices and one or more processors in communication with the above and programmed to implement the present invention. All or part of the invention can include software stored on one or more storage devices to program one or more processors. The entities can also be a software process, thread, etc. In one embodiment, NAT device 12 is a computing device that is running Network Address Translation (NAT). NAT device 12 is one example of a stateful edge switch that is designed to allow communication to be initiated in one direction. Other stateful edge switches can also be used with the present invention. FIG. 1 shows NAT device 12 connected to the Internet (or other network) so that the entities on private network 10 can communicate with other entities on the Internet using NAT. Note that it is not necessary for NAT device 12 to be a physical gateway on the edge of the network between private network 10 and the Internet. It is also possible that NAT device 12 can be inside private network 10.

[0046] FIG. 1 shows entity 18 labeled as host A. Thus, host A is an entity in a private network. In one embodiment, host A is a mobile computing device that is connected to private network 10. When host A connects to private network 10, it is assigned a private address. When host A wants to communicate outside of private network 10, NAT device 12 allows host A to communicate using a public address assigned to NAT device 12. In some embodiments, host A is a computing device that is not mobile. In other embodiments, there may be multiple subnets for NAT 12 and host A can be on any of those subnets.

[0047] FIG. 1 also shows host B 34 and server 38 connected to the Internet. According to one embodiment of the present invention, host A registers with server 38 and sets up a persistent connection with server 38 so that host A can be accessible to entities outside of private network 10. When host A establishes the persistent connection to the server, there is a connection between host A and NAT device 12 and a connection between NAT device 12 and server 38. NAT device 12 assigns a port number to the connection between NAT device 12 and server 38. This port number is used to translate between the private address for host A and the public addresses used by NAT device 12. The port number serves as a port identification for the persistent connection. In alternate embodiments, port numbers can be replaced with other types of port identification. In other embodiments, other identifiers can be used to identify the persistent connection.

[0048] In one example, host B is a computer with a public IP address. Host B knows the domain name for host A; however, host B does not know a public IP address for host A. According to the present invention, host B requests that server 38 (or another entity) resolve a domain name for host A. Server 38 responds to host B's request by returning the public IP address for NAT device 12 and the port number assigned by NAT device 12 to the persistent connection between NAT device 12 and server 38. In one embodiment, host B creates a message for host A and sends the message to the IP address and port number received from server 38. Host A and host B then continue to communicate outside of the persistent connection using the port number.

[0049] In an alternate embodiment, host B creates a message for host A and sends the message to server 38. Server 38 then forwards the message to host A via the persistent connection between server 38 and host A. In response to the communication, host A establishes a connection with host B through NAT device 12. A new port number is associated with the NAT device 12 to host B portion of the connection between hosts A and B. Hosts A and B then communicate outside of the persistent connection using the new port number.

[0050] FIG. 2 describes one embodiment of the steps taken to make host A accessible to entities outside of private network 10. In step 102, host A connects to private network 10. In step 104, host A receives a private address for communication on private network 10. In step 106, host A registers with server 38. In step 108, a persistent connection is maintained between host A and server 38. One example of a suitable persistent connection is a UDP (User Datagram Protocol) connection as described below. Other types of persistent connections can be used, such as TCP connections, other protocols, etc. In one embodiment, host A maintains the persistent connection. In other embodiments, the persistent connection is maintained by server 38, NAT device 12, a combination of server 38 and host A, or another entity. A UDP connection will normally have a timeout interval. In one embodiment, maintaining the connection includes repeatedly sending UDP segments so that a new UDP segment is sent prior to the timeout interval completing.

[0051] UDP is a protocol that operates on the transport layer of the TCP/IP stack. UDP is described in RFC 768, which is incorporated herein by reference. FIG. 3 depicts UDP segment 120, which includes header 122 and data portion 124.

[0052] FIG. 4 depicts the details of header 122. Header 122 is 8 bytes and includes source port 130, destination port 132, UDP length 134, and checksum 136. Source port 130 and destination port 132 identify the end points within the source and destination entities. UDP length 134 indicates the length of header 122 and data portion 124. UDP checksum 136 is provided for reliability purposes.
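As an added example that is not part of the application, the following Python builds and parses the 8-byte header of FIG. 4, checks UDP length 134 against the bytes actually received, and verifies checksum 136 over the IPv4 pseudo-header as RFC 768 specifies. The addresses, ports and payload are constructed for the example (198.68.70.1 is the page's own sample address); the function names are the example's.

```python
import struct

UDP_HEADER_LEN = 8  # FIG. 4: source port, destination port, length, checksum, 2 bytes each


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as used by the UDP checksum."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero for the sum only
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 768 checksum: IPv4 pseudo-header (addresses, zero byte, protocol 17, UDP length)
    followed by the segment with its checksum field read as zero. A computed value of zero
    is transmitted as 0xFFFF, because a zero field on the wire means 'no checksum'."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    value = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return value or 0xFFFF


def build_udp_segment(src_ip, dst_ip, src_port, dst_port, data: bytes) -> bytes:
    """Assemble header 122 plus data portion 124 (FIG. 3) with a valid checksum."""
    length = UDP_HEADER_LEN + len(data)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    checksum = udp_checksum(src_ip, dst_ip, header + data)
    return struct.pack("!HHHH", src_port, dst_port, length, checksum) + data


def parse_udp_segment(src_ip, dst_ip, segment: bytes) -> dict:
    """Decode the four header fields, reject a length field that disagrees with the bytes
    actually present, and verify the checksum when the sender supplied one."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError("segment shorter than the 8-byte UDP header")
    src_port, dst_port, length, checksum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(segment):
        raise ValueError(f"UDP length {length} inconsistent with {len(segment)} bytes received")
    checksum_ok = None  # None: the sender sent no checksum (field zero), nothing to verify
    if checksum != 0:
        checksum_ok = udp_checksum(src_ip, dst_ip, segment[:length]) == checksum
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "length": length,
        "checksum": checksum,
        "checksum_ok": checksum_ok,
        "data": segment[UDP_HEADER_LEN:length],
    }


# Constructed sample: a registration-style segment from a private address to the page's
# example address 198.68.70.1; ports and payload are chosen for illustration only.
SAMPLE_SRC_IP = bytes([10, 0, 0, 18])
SAMPLE_DST_IP = bytes([198, 68, 70, 1])
SAMPLE_DATA = b"NEW_CONNECTION hosta.example"
SAMPLE_SEGMENT = build_udp_segment(SAMPLE_SRC_IP, SAMPLE_DST_IP, 5000, 7000, SAMPLE_DATA)

if __name__ == "__main__":
    print(parse_udp_segment(SAMPLE_SRC_IP, SAMPLE_DST_IP, SAMPLE_SEGMENT))
```

A receiver that trusts UDP length 134 without the comparison in parse_udp_segment can be led to read past the data it actually holds, which is why the length check precedes any use of the data portion. A zero checksum field is reported as None rather than as a pass: RFC 768 lets an IPv4 sender transmit zero to mean that no checksum was computed, so "not verified" and "verified" are kept distinct.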

[0053] FIG. 5 is a flow chart describing the process of host A registering with server 38 (step 106 of FIG. 2). In step 150, host A creates a UDP segment with one or more codes in the data portion. In one embodiment of the present invention, a protocol can be designed which includes a set of one or more codes to be stored in the data portion of UDP segments. These codes can indicate that a new connection is requested, an existing connection should be terminated, move the connection to port #, the domain name of the sender is <domain name>, the time out interval for the UDP connection is X, other messages, or a combination of the above. In one embodiment, the UDP segment(s) created in step 150 includes codes that indicate that a new connection is requested and identifies the domain name for host A. In one embodiment, the codes are sent in the data portion of the UDP segment.

[0054] In step 152, the UDP segment created in step 150 is sent to NAT device 12. For example, the UDP segment is created listing a port number for host A as its source port and a well known port for UDP on server 38 as the destination port. The UDP segment is placed within one or more IP packets. The source address of the IP packets is the private address of host A. The destination address of the IP packets is the public IP address of server 38. The IP packets are first sent to NAT device 12. In step 154, NAT device 12 receives the UDP segment and changes the source port number to a port number selected by NAT device 12 for the persistent connection. The newly selected port number can be identified as Port T—the port number supporting the persistent connection tunnel between server 38 and host A. The changed UDP segment is placed within one or more IP packets. The source address of the IP packets is a public address associated with NAT device 12. NAT device 12 stores a data structure that identifies Port T with the public address, and the private address for host A. The destination address of the IP packet is the public IP address of server 38. The UDP segment is transmitted to server 38. In step 156, the UDP segment is received by server 38. In step 158, server 38 accesses the codes in the data portion of the UDP segment and determines based on the codes that host A is requesting that a connection be set up between host A and server 38. In step 160, server 38 selects a port number on server 38 for servicing the new connection with host A.

[0055] Server 38 maintains a table for all of its connections with entities inside private networks. Data structures other than a table can also be used. Each connection has an entry in the table. Each entry stores the domain name of the entity in the private network, the public IP address used for the entity (e.g. the address provided by the NAT device), and the two port numbers (e.g. port number on server 38 and port number on NAT device 12) used for the connection. In one embodiment, other data can be stored in a table entry, such as the time out interval for the connection. In step 162, server 38 creates an entry in the table for the new connection.

[0056] In step 164, server 38 creates a UDP segment and sends it to host A. This UDP segment includes the new port number selected in step 160 as the source port number. The UDP segment may include codes in the data portion indicating that the connection has been created and the time out interval for the connection. The segment sent in step 164 is received by NAT device 12 in step 166, which translates and forwards the segment to host A in step 168. In step 170, host A stores the port number selected by server 38 (selected in step 160) and the time out interval.

[0057] FIG. 6 is a flowchart describing one implementation of a process that is performed to establish and exchange communication between host B and host A. In one embodiment, the process illustrated by FIG. 6 can be employed in embodiments where NAT device 12 is “friendly.” That is, NAT device 12 does not check the source IP address in incoming packets to ensure the source IP address is the same as the destination IP address for which the connection was established in the first place.

[0058] Host B knows the domain name for host A, but does not know an address for host A and does not know what network host A is connected to. In step 302, host B requests resolution of host A's domain name. In one embodiment, step 302 includes a request for domain name resolution. The request to resolve host A's domain name is received by server 38 through the Internet or another network path. In one embodiment, server 38 is the authoritative domain name server (“DNS”) for host A.

[0059] In step 304, server 38 responds to the request for the domain name resolution by finding the appropriate DNS record that corresponds to the domain name provided. In one embodiment, the DNS record corresponding to the domain name for host A identifies: (1) the IP address of NAT device 12, and (2) the port identification of the persistent connection, which is the port number on NAT device 12 that is associated with the connection between NAT device 12 and server 38 (e.g. Port T). In one embodiment, server 38 can obtain this address information from the above-described table in server 38.

[0060] In step 306, server 38 sends host B the resolved address and port number (Port T) for the host A domain name. In the discussion above, host B is requesting resolution of the domain name. In other embodiments, other types of names or identifiers can be resolved. That is, the present invention works in other spaces. In one embodiment, server 38 or another entity responds with a standard DNS record as the resolved address for host A's domain name and a second resolution or other server provides the port number. In other embodiments, server 38 responds with a different set of information. For example, server 38 can respond with an identification code for communicating with host A, in addition to the IP address for NAT device 12 and the port number used by NAT device 12 for the persistent connection between host A and server 38.

[0061] In step 308, host B creates a message for host A. This message can include codes to request communication, a standard message from an application, secure message, IPsec packet, shim, etc. or another type of message. The message is inserted in the data portion of a UDP segment. In one embodiment, step 308 includes inserting one or more TCP segments, UDP segments, and/or IP packets into a UDP segment. In the header of the UDP segment, the destination port is set to Port T. That UDP segment is packaged into one or more IP packets that have the IP address of NAT device 12 as the destination IP address.

[0062] In step 310, the UDP segment is sent to NAT device 12 outside of the persistent connection with server 38. In step 312, NAT device 12 translates the received message from host B, including one or more packets encapsulating the message. In one embodiment, step 312 includes changing the destination IP address to the private address for host A in network 10 and changing the port numbers in the UDP segment to reflect the connection between NAT device 12 and host A. In step 314, the translated communication is sent from NAT device 12 to host A.

[0063] In step 316, host A and host B exchange communications—sending communications back and forth between them. Messages from host B to host A are transferred as above. Messages from host A to host B are sent in a reverse manner. That is, the messages (in one embodiment) are inserted in one or more UDP segments which are first transmitted from host A to NAT device 12. At NAT device 12, the source port of the UDP segment is changed to Port T and the source IP address is changed from the private IP address for host A to the public IP address for NAT device 12. After translation, the UDP segment is sent to host B.

[0064] FIG. 7 provides an example that explains the process of host B sending a message (the initial message or subsequent messages) to host A. Host B creates UDP segment 366, which includes Port T as the destination port and data retrieved from data store 360. UDP segment 366 also includes a port identifier associated with host B (e.g. Port HB) in the source port field. In one implementation, the data in UDP segment 366 contains a message with code calling for host A to respond to the communication. As described above, the data portion of UDP segment 366 may contain an encapsulated IP packet (or other message) for delivering data to host A. In alternate embodiments, transport layer protocols other than UDP can be employed for segment 366. Host B encapsulates UDP segment 366 in IP packet 362, which identifies the public IP address for NAT device 12 as the destination address and the public IP address for host B as the source address. In other examples, UDP segment 366 can be spread across multiple IP packets. Host B sends IP packet 362 to NAT device 12, which translates IP packet 362, as described above, into IP packet 368 for delivery to host A—enabling host A to receive the message from host B in UDP segment 366. IP packet 368 identifies the destination IP (“PIP”) address as the private address used by host A in private network 10. After translation by NAT device 12, UDP segment 366 has the destination port number changed from Port T to a port number on host A (e.g. Port HA).

[0065]FIG. 8 is a block diagram illustrating one embodiment of a processfor host A sending a communication to host B (e.g. in step 316 of FIG.6). Host A creates a message for host B using a transport layerprotocol. One example is a data portion of UDP segment 402, containingdata retrieved from data store 400. In one embodiment, host A lists asource port number on host A for the connection between host A and NATdevice 12 (Port HA). Host A also lists Port HB as a destination portnumber. The data portion of UDP segment 402 may contain an encapsulatedIP packet for delivering data to host B. In alternate embodiments,transport layer protocols other than UDP can be employed.

[0066] Host A encapsulates UDP segment 402 in IP packet 406, identifyingthe private IP address of host A as the source address and the public IPaddress of host B as the destination address. In alternate embodiments,UDP segment 402 can be spread across multiple IP packets. Host A sendsUDP segment 402 to NAT device 12, which translates the packet. NATdevice 12 changes the source address in IP packet 404 to identify thepublic IP address for NAT device 12 and changes the source port numberin UDP segment 402 to port T.

[0067]FIG. 9 is a flowchart describing an alternate process that isperformed to establish and exchange communication between host B andhost A. FIGS. 10-12 are block diagrams illustrating one embodiment ofthe process steps described in FIG. 9. The process shown in FIGS. 9-12is employed in embodiments where NAT device 12 is “unfriendly.” That is,NAT device 12 checks the source IP address on incoming packets andrejects packets in which the source IP address is not the same as thedestination IP address for which the connection was established in thefirst place.

[0068] In FIG. 9, steps 302, 304, and 306 are the same as in FIG. 6,with host B requesting resolution of host A's domain name and receivingresolution from server 38. This provides host B with the public IPaddress for NAT device 12 and the port number (Port T) associated withthe persistent connection between host A and server 38. In step 440,host B creates a message for host A. In one embodiment, this messageincludes proprietary or predetermined codes that call for host A toestablish a connection with host B. Host B inserts the message in thedata portion of UDP segment 490 (FIG. 10). In one embodiment, step 440includes inserting one or more TCP segments, UDP segments, and/or IPpackets into UDP segment 490.

[0069] Host B sets the destination port number in the header of UDPsegment 490 to Port T and the source port number to Port HB. Host Bencapsulates UDP segment 490 into one or more IP packets, such as IPpacket 492 (FIG. 10). Host B sets the IP destination address in IPpacket 492 to the public IP address for server 38. The IP source addressin IP packet 492 is the public IP address for host B.

[0070] In step 442, host B sends UDP segment 490 to NAT device 12 using the persistent connection between server 38 and host A. That is, host B sends IP packet 492, including UDP segment 490, to server 38. Server 38 recognizes Port T as the port identification associated with the persistent connection with host A. Server 38 then uses the persistent connection to forward UDP segment 490 to NAT device 12. Server 38 converts IP packet 492 into IP packet 494 by changing the IP destination address to the public IP address for NAT device 12.

[0071] NAT device 12 translates IP packet 494 and forwards UDP segment 490 to host A in IP packet 496, as described above with reference to steps 312 and 314 in FIG. 6. In step 444, host A establishes a connection with host B in response to UDP segment 490, outside of the persistent connection with server 38. Host A creates a message for host B using a transport layer protocol, such as UDP segment 520 (FIG. 11). Host A optionally loads data for the message from data store 400 (or other structure) into the data portion of UDP segment 520. Host A includes source port number Port HA and destination port number Port HB in segment 520. In alternate embodiments, host A may use a source port number other than Port HA. Host A then forwards UDP segment 520 to NAT device 12 in IP packet 522, including the private IP address of host A as the IP source address and the public IP address of host B as the IP destination address. In alternate implementations, segment 490 can be spread across multiple IP packets. NAT device 12 changes the source port number in UDP segment 520 to a new port number, referred to here as Port A, to be associated with the connection between host B and host A. NAT device 12 also changes the IP source address in IP packet 522 to be the public IP address of NAT device 12. NAT device 12 then forwards the new packet to host B as IP packet 524, including UDP segment 520.

[0072] After host A establishes a connection with host B, hosts A and B continue to exchange message communications in step 446 (FIG. 9). UDP messages from host B to host A use destination port number Port A. While exchanging communications, host A operates the same as described above with reference to FIG. 11 for step 444. Host B sends messages to host A in a reverse manner, as illustrated in FIG. 12. Host B creates UDP segment 530, listing Port A as the destination port number, listing Port HB as the source port number, and optionally containing data retrieved from data store 360. Host B encapsulates UDP segment 530 in IP packet 532, identifying NAT device 12 as the destination and host B as the source. In alternate implementations, segment 530 is spread across multiple IP packets. Host B sends IP packet 532 to NAT device 12, which translates and forwards UDP segment 530 to host A. NAT device 12 changes the destination address in IP packet 532 to identify host A as the destination and forwards the packet as IP packet 534. NAT device 12 also changes the UDP segment destination port number to Port HA.

[0073] FIG. 13 depicts a block diagram describing another embodiment of the present invention. One difference between the embodiments of FIG. 13 and FIG. 1 is that host B is behind a NAT device. For example, FIG. 13 shows private network 540. Connected to private network 540 are NAT device 542, entity 544, entity 546 and entity 548. Entity 544 is labeled as host B. In the embodiments shown in FIGS. 13-18, host B is an entity that is provided with a private address—not a public IP address. Communications initiated by host B are provided with a public IP address by NAT device 542 (NAT B) in accordance with Network Address Translation. FIG. 13 depicts NAT device 542 at the edge of private network 540; however, NAT device 542 need not be at the edge of the network.

[0074] In the embodiment of FIG. 13, host B initiates communication with host A according to the present invention. In one implementation, host B (entity 544) performs the steps that were described above in FIG. 6 for a friendly NAT application. In an alternate implementation, host B (entity 544) performs the steps that were described above in FIG. 9 for an unfriendly NAT application. NAT device 542 translates communications to and from host B so that host B can use a public IP address associated with NAT device 542.

[0075] FIG. 14 illustrates the steps of creating (step 308 of FIG. 6) and sending (step 310 of FIG. 6) a communication from host B to host A in the network shown in FIG. 13 when NAT device 12 is friendly. FIG. 14 differs from FIG. 7 by providing for the inclusion of NAT device 542. Host B creates a message to communicate to host A, such as the data portion of UDP segment 566. UDP segment 566 lists Port T as the destination port number, lists Port HB as the source port number, and optionally contains data retrieved from data store 360. As described above, host B obtains address resolution for host A from server 38. In further embodiments, NAT device 542 sets a time out interval—requiring host A to respond to UDP segment 566 within a specified period of time. In one implementation, the data in UDP segment 566 contains code calling for host A to respond to the communication. In alternate embodiments, transport layer protocols other than UDP can be employed.

[0076] Host B encapsulates UDP segment 566 in IP packet 560, which identifies NAT device 12 as the destination and host B as the source. In alternate implementations, segment 566 is spread across multiple IP packets. Host B sends IP packet 560 to NAT device 542. NAT device 542 assigns Port B as the source port number in the header of UDP segment 566. NAT device 542 forwards UDP segment 566 to NAT device 12 in IP packet 562, which has the public IP address for NAT device 542 as a source address and the public IP address for NAT device 12 as a destination address. NAT device 12 changes the destination address in IP packet 562 to the public IP address for host A and changes the port numbers to reflect the connection between host A and NAT device 12. NAT device 12 forwards the translated packet to host A.

[0077] FIG. 15 is a block diagram describing one embodiment of a process for host A sending a communication to host B when NAT device 12 is friendly (step 316 of FIG. 6). FIG. 15 differs from FIG. 8 by providing for the inclusion of NAT device 542. Host A creates a message to communicate to host B using a transport layer protocol, such as UDP segment 702. UDP segment 702 lists Port B as the destination port number, lists Port HA as the source port number, and optionally contains data retrieved from data store 400. In alternate embodiments, transport layer protocols other than UDP can be employed.

[0078] Host A encapsulates at least a portion of UDP segment 702 in IP packet 704. In further embodiments, segment 702 is spread across multiple IP packets. IP packet 704 identifies host A as the source and NAT device 542 as the destination. Host A sends IP packet 704 to NAT device 12, which inserts Port T as the source port number for UDP segment 702. NAT device 12 forwards UDP segment 702 to NAT device 542 in IP packet 706, which lists NAT device 12 as a source and NAT device 542 as a destination. NAT device 542 forwards UDP segment 702 to host B in IP packet 708, which has NAT device 12 as a source and host B as a destination. NAT device 542 changes the destination port number to Port HB.

[0079] FIG. 16 is a block diagram showing one embodiment of a process for requesting host A to establish a connection with host B in the network shown in FIG. 13 when NAT device 12 is unfriendly. Host B creates a UDP segment (step 440 of FIG. 9) and sends the UDP segment to host A (step 442 of FIG. 9). FIG. 16 differs from FIG. 10 by providing for the inclusion of NAT device 542.

[0080] Host B creates a message to communicate to host A, such as the data portion of UDP segment 720, listing Port T as the destination port number in the UDP segment header and Port HB as the source port number. UDP segment 720 may also contain data retrieved from data store 360, including code calling for host A to establish a connection with host B. In alternate embodiments, transport layer protocols other than UDP can be employed.

[0081] Host B encapsulates UDP segment 720 in IP packet 722, identifying server 38 as the destination and host B as the source. In alternate embodiments, segment 720 is spread across multiple IP packets. Host B forwards packet 722 to server 38 through NAT device 542 as packet 724. NAT device 542 converts packet 722 into packet 724 by changing the packet's source address to identify the public IP address of NAT device 542. NAT device 542 also inserts Port B as the source port number in the header of UDP segment 720. Server 38 sends UDP segment 720 to NAT device 12 in IP packet 726 using the persistent connection with host A. IP packet 726 identifies server 38 as the source and NAT device 12 as the destination. NAT device 12 forwards UDP segment 720 to host A in IP packet 728. NAT device 12 changes the destination address in IP packet 726 to the private IP address for host A and forwards the packet to host A as IP packet 728. NAT device 12 also changes the destination port number in segment 720 to Port HA.

[0082] FIG. 17 is a block diagram explaining one embodiment of a process for host A establishing a connection with host B (step 444 of FIG. 13) in the network shown in FIG. 13 when NAT device 12 is unfriendly. Host A may establish a connection in response to receiving a request from host B, as illustrated in FIG. 16. Host A creates a message to communicate to host B using a transport layer protocol, such as UDP segment 740—listing Port B as the destination port number, listing Port HA as the source port number, and optionally containing data retrieved from data store 400. In alternate embodiments, transport layer protocols other than UDP can be employed.

[0083] Host A encapsulates UDP segment 740 in IP packet 742, identifying host A as the source and NAT device 542 as the destination. Host A sends IP packet 742 to NAT device 12, which forwards UDP segment 740 to NAT device 542 in IP packet 744. NAT device 12 inserts a new source port number, Port A, in the header of UDP segment 740. In some embodiments, NAT device 12 also sets a timeout interval for the new port number. NAT device 12 changes the source address in IP packet 742 to identify NAT device 12 and forwards the packet as IP packet 744. NAT device 542 forwards UDP segment 740 to host B in IP packet 746—NAT device 542 changes the destination address in packet 744 to the private IP address for host B, changes the destination port number in segment 740 to Port HB, and forwards the packet as IP packet 746.

[0084] FIG. 18 is a block diagram that explains one embodiment of host B exchanging message communications (step 446 of FIG. 13) for the network shown in FIG. 13 when NAT device 12 is unfriendly. Host B creates a message to communicate to host A using a transport layer protocol. One example is UDP segment 760, listing Port A as the destination port number, listing Port HB as the source port number, and optionally containing data retrieved from data store 360. Host B encapsulates UDP segment 760 in IP packet 762, identifying NAT device A as the destination and host B as the source. In alternate implementations, segment 760 is spread across multiple IP packets. Host B sends UDP segment 760 to NAT device 542, which forwards UDP segment 760 to NAT device 12 outside of the persistent connection between host A and server 38. NAT device 542 lists Port B as the source port number in the header of UDP segment 760. NAT device 542 also encapsulates UDP segment 760 in IP packet 764 with the public IP address for NAT device 542 as the source address and the public IP address for NAT device 12 as the destination address. NAT device 12 forwards UDP segment 760 to host A in IP packet 766. NAT device 12 changes the destination address in IP packet 764 to identify host A as the destination and forwards the packet as IP packet 766. NAT device 12 also changes the destination port number in segment 760 to be Port HA.
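The unfriendly-NAT procedure of FIGS. 9-12 ([0067]-[0072]) and its variant with host B behind NAT device 542 in FIGS. 16-18 ([0079]-[0084]) are easier to follow as a message-by-message walk-through. The following is an added, constructed example written for this page, not code from the patent or its applicants. It models NAT device 12 as an address-dependent NAT that drops inbound packets whose source IP is not the peer a mapping was created toward (the check described in [0067]), NAT device 542 as a friendlier NAT that keys mappings on the inside address only, and server 38 as a relay that rewrites the IP source to itself as [0081] states. All addresses, port numbers (including the values Port T and Port A come out as) and payload strings are made up. One detail the text leaves open is how host A learns host B's public address once the relay has rewritten the source; the example assumes the relay appends the requester's observed address to the payload, which is the example's own convention.

```python
"""Toy model of the exchanges in FIGS. 9-12 (host B public) and FIGS. 16-18 (host B
behind NAT device 542). Constructed example: addresses, ports and payloads are made up."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Nat:
    """Port-translating NAT. friendly=True keys the mapping on the inside (ip, port) only
    and makes no source check. friendly=False keys it on (ip, port, peer ip) and drops an
    inbound packet whose source IP is not the peer the mapping was created toward (the
    "unfriendly" check of [0067]); a reply to a new peer therefore gets a fresh public
    port, the Port A of FIG. 11 / FIG. 17."""

    def __init__(self, public_ip: str, friendly: bool, first_port: int):
        self.public_ip, self.friendly, self.next_port = public_ip, friendly, first_port
        self.mappings = {}   # key -> public port
        self.reverse = {}    # public port -> (inside ip, inside port, peer ip)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port) + (() if self.friendly else (pkt.dst_ip,))
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        pub = self.mappings[key]
        self.reverse[pub] = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        return replace(pkt, src_ip=self.public_ip, src_port=pub)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.reverse.get(pkt.dst_port)
        if entry is None:
            return None                       # no mapping for this port: dropped
        inside_ip, inside_port, peer_ip = entry
        if not self.friendly and pkt.src_ip != peer_ip:
            return None                       # source-IP check fails: dropped
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


class RendezvousServer:
    """Server 38: remembers Port T of each persistent connection and relays packets
    addressed to it, rewriting the IP source to itself as in [0081]."""

    def __init__(self, ip: str):
        self.ip, self.persistent = ip, {}   # persistent: Port T -> NAT public IP

    def register(self, pkt: Packet) -> None:
        self.persistent[pkt.src_port] = pkt.src_ip

    def relay(self, pkt: Packet) -> Optional[Packet]:
        nat_ip = self.persistent.get(pkt.dst_port)
        if nat_ip is None:
            return None
        # Assumption (not in the text): the relay appends the requester's public
        # address so host A knows where to connect back.
        note = f"{pkt.payload} {pkt.src_ip}:{pkt.src_port}"
        return replace(pkt, src_ip=self.ip, dst_ip=nat_ip, payload=note)


def run_exchange(host_b_behind_nat: bool = False) -> dict:
    """Steps 440-446 of FIG. 9, with or without NAT device 542 in front of host B."""
    server = RendezvousServer("192.0.2.1")                          # server 38
    nat_12 = Nat("203.0.113.1", friendly=False, first_port=40000)  # unfriendly NAT device 12
    nat_542 = Nat("203.0.113.2", friendly=True, first_port=50000) if host_b_behind_nat else None
    host_a = ("10.0.0.5", 5000)                                     # host A, private IP, Port HA
    host_b = ("192.168.1.9" if nat_542 else "198.51.100.7", 6000)   # host B, Port HB
    egress = nat_542.outbound if nat_542 else (lambda p: p)         # host B -> Internet
    ingress = nat_542.inbound if nat_542 else (lambda p: p)         # Internet -> host B

    # 1. host A opens the persistent connection to server 38; NAT 12 assigns Port T
    keepalive = nat_12.outbound(Packet(*host_a, server.ip, 3478, "keepalive"))
    server.register(keepalive)
    port_t = keepalive.src_port

    # 2. a packet aimed straight at Port T (the FIG. 6 style) fails the source-IP check
    direct = nat_12.inbound(egress(Packet(*host_b, nat_12.public_ip, port_t, "hello?")))

    # 3. steps 440/442: host B sends the connect request to server 38 with destination
    #    Port T; the server relays it down the persistent connection (FIG. 10 / FIG. 16)
    at_a = nat_12.inbound(server.relay(egress(Packet(*host_b, server.ip, port_t, "CONNECT"))))

    # 4. step 444: host A answers outside the persistent connection; NAT 12 allocates
    #    Port A for the host A -> host B mapping (FIG. 11 / FIG. 17)
    b_ip, b_port = at_a.payload.split()[1].split(":")
    reply = nat_12.outbound(Packet(*host_a, b_ip, int(b_port), "hello from A"))
    at_b = ingress(reply)

    # 5. step 446: host B reaches host A through Port A (FIG. 12 / FIG. 18)
    data = nat_12.inbound(egress(Packet(*host_b, nat_12.public_ip, reply.src_port, "hello from B")))
    return {"port_t": port_t, "port_a": reply.src_port, "direct_dropped": direct is None,
            "a_saw": at_a, "b_saw": at_b, "a_got": data}


if __name__ == "__main__":
    for behind in (False, True):
        r = run_exchange(behind)
        print(f"host B behind NAT={behind}: Port T={r['port_t']}, Port A={r['port_a']}, "
              f"direct packet dropped={r['direct_dropped']}, host A got {r['a_got'].payload!r}")
```

Running it shows the two points the figures make: a packet sent straight at Port T is discarded because its source is host B rather than server 38, whereas the relayed request arrives with server 38 as its source and passes; and host A's reply creates a second mapping (Port A) bound to host B's public address, so the subsequent host B to host A traffic uses Port A while the persistent connection on Port T stays intact. From a reviewer's standpoint the relay is the trust boundary here: whatever server 38 forwards on Port T reaches host A, so the relay (not the NAT) is where requests should be authenticated and rate-limited.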

[0085] Note that in some embodiments, all or part of the present invention can be implemented in a NAT device, while other embodiments implement the present invention separate from a NAT device.

[0086] FIG. 19 illustrates a high level block diagram of a computer system that can be used for the components of the present invention, including host A, host B, server 38, NAT device 542, and NAT device 12, as well as other entities mentioned above. The computer system in FIG. 19 includes processor unit 800 and main memory 802. Processor unit 800 may contain a single microprocessor, or may contain a plurality of microprocessors for configuring the computer system as a multi-processor system. Main memory 802 stores, in part, instructions and data for execution by processor unit 800. If the system of the present invention is wholly or partially implemented in software, main memory 802 can store the executable code when in operation. Main memory 802 may include banks of dynamic random access memory (DRAM) as well as high speed cache memory.

[0087] The system of FIG. 19 further includes mass storage device 804, peripheral device(s) 806, user input device(s) 810, portable storage medium drive(s) 812, graphics subsystem 814, and output display 816. For purposes of simplicity, the components shown in FIG. 19 are depicted as being connected via a single bus 818. However, the components may be connected through one or more data transport means. For example, processor unit 800 and main memory 802 may be connected via a local microprocessor bus, and the mass storage device 804, peripheral device(s) 806, portable storage medium drive(s) 812, and graphics subsystem 814 may be connected via one or more input/output (I/O) buses. Mass storage device 804, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 800. In one embodiment, mass storage device 804 stores the system software for implementing the present invention for purposes of loading to main memory 802.

[0088] Portable storage medium drive 812 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, to input and output data and code to and from the computer system of FIG. 19. In one embodiment, the system software for implementing the present invention is stored on such a portable medium, and is input to the computer system via the portable storage medium drive 812. Peripheral device(s) 806 may include any type of computer support device, such as an input/output (I/O) interface, to add additional functionality to the computer system. For example, peripheral device(s) 806 may include a network interface for connecting the computer system to a network, a modem, a router, etc.

[0089] User input device(s) 810 provide a portion of a user interface. User input device(s) 810 may include an alpha-numeric keypad for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. In order to display textual and graphical information, the computer system of FIG. 19 includes graphics subsystem 814 and output display 816. Output display 816 may include a cathode ray tube (CRT) display, liquid crystal display (LCD) or other suitable display device. Graphics subsystem 814 receives textual and graphical information, and processes the information for output to display 816. Additionally, the system of FIG. 28 includes output devices 808. Examples of suitable output devices include speakers, printers, network interfaces, monitors, etc.

[0090] The components contained in the computer system of FIG. 19 are those typically found in computer systems suitable for use with the present invention, and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system of FIG. 19 can be a personal computer, handheld computing device, Internet-enabled telephone, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Palm OS, and other suitable operating systems.

[0091] The foregoing detailed description of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen in order to best explain the principles of the invention and its practical application to thereby enable others skilled in the art to best utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims appended hereto.

We claim:
 1. A method for communicating, comprising the steps of:establishing a persistent connection between a first entity in a privatenetwork and a second entity outside of said private network; initiatingcommunication with said first entity, said communication is initiated bya third entity from outside said private network using an identificationassociated with said persistent connection; and exchanging subsequentcommunication between said first entity and said third entity outside ofsaid persistent connection.
 2. A method for communicating according toclaim 1, wherein said step of initiating includes the step of: sending amessage from said third entity to said first entity, wherein said thirdentity uses said identification in sending said message and said thirdentity does not use a public address unique to said first entity insending said message.
 3. A method according to claim 2, wherein saidmessage is included in a UDP segment having a header listing saididentification as a destination port number.
 4. A method according toclaim 1, wherein said method further includes the step of: said firstentity establishing a connection with said third entity in response tosaid step of initiating.
 5. A method according to claim 4, wherein saidstep of initiating includes the steps of: forwarding a message from saidthird entity to said second entity; and forwarding said message fromsaid second entity to said first entity using said persistentconnection.
 6. A method according to claim 5, wherein said step offorwarding said message from said second entity to said first entityusing said persistent connection includes the steps of: forwarding saidmessage from said second entity to a NAT device in said private network;and forwarding said message from said NAT device to said first entity.7. A method according to claim 6, wherein said third entity is inside asecond private network and said step of forwarding said message fromsaid third entity to said second entity includes the steps of:forwarding said message from said third entity to a second NAT device insaid second private network; and forwarding said message from saidsecond NAT device to said second entity.
 8. A method according to claim4, wherein said step of said first entity establishing includes the stepof: sending a second message to said third entity from said first entityoutside of said persistent connection, wherein a new identification isassociated with said connection with said third entity.
 9. A methodaccording to claim 8, wherein said step of sending said second messageincludes the steps of: forwarding said second message from said firstentity to a NAT device in said private network; and forwarding saidsecond message from said NAT device to said third entity.
 10. A methodaccording to claim 9, wherein said third entity is inside a secondprivate network and said step of forwarding said second message fromsaid NAT device to said third entity includes the steps of: forwardingsaid second message from said NAT device to a second NAT device in saidsecond private network; and forwarding said second message from saidsecond NAT device to said third entity.
 11. A method according to claim8, wherein said second message is included in a UDP segment that arrivesat said third entity having a header listing said new identification asa source port number.
 12. A method according to claim 8, wherein saidstep of exchanging includes the step of: sending a third message to saidfirst entity from said third entity outside of said persistentconnection using said new identification.
 13. A method according toclaim 12, wherein said step of sending said third message includes thesteps of: forwarding said third message from said third entity to a NATdevice in said private network; and forwarding said third message fromsaid NAT device to said first entity.
 14. A method according to claim13, wherein said third entity is inside a second private network andsaid step of forwarding said third message from said third entity tosaid NAT device in said private network includes the steps of:forwarding said third message from said third entity to a second NATdevice in said second private network; and forwarding said third messagefrom said second NAT device to said NAT device.
 15. A method accordingto claim 12, wherein said third message is included in a UDP segmenthaving a header listing said new identification as a destination portnumber.
 16. A method according to claim 1, wherein said step ofinitiating is performed outside of said persistent connection.
 17. Amethod according to claim 16, wherein said step of initiating includesthe steps of: forwarding a message from said third entity to a NATdevice in said private network using said identification; and forwardingsaid message from said NAT device to said first entity.
 18. A methodaccording to claim 17, wherein said third entity is inside a secondprivate network and said step of forwarding said message from said thirdentity to said NAT device in said private network includes the steps of:forwarding said message from said third entity to a second NAT device insaid second private network; and forwarding said message from saidsecond NAT device to said NAT device.
 19. A method according to claim16, wherein said step of exchanging includes the steps of: sending asecond message to said third entity from said first entity outside ofsaid persistent connection; and sending a third message to said firstentity from said third entity outside of said persistent connectionusing said identification.
 20. A method according to claim 19, whereinsaid second message is included in a UDP segment that arrives at saidthird entity having a header listing said port identification as asource port number and said third message is included in a UDP segmenthaving a header listing said identification as a destination portnumber.
 21. One or more processor readable storage devices havingprocessor readable code embodied on said one or more processor readablestorage devices, said processor readable code for programming one ormore processors to perform a method for communicating, said methodcomprising the steps of: establishing a persistent connection between afirst entity in a private network and a second entity outside of saidprivate network; initiating communication with said first entity, saidcommunication is initiated by a third entity from outside said privatenetwork using an identification associated with said persistentconnection; and exchanging subsequent communication between said firstentity and said third entity outside of said persistent connection. 22.One or more processor readable storage devices according to claim 21,wherein said step of initiating includes the step of: sending a messagefrom said third entity to said first entity, wherein said third entityuses said identification in sending said message and said third entitydoes not use a public address unique to said first entity in sendingsaid message.
 23. One or more processor readable storage devicesaccording to claim 22, wherein said message is included in a UDP segmenthaving a header listing said identification as a destination portnumber.
 24. One or more processor readable storage devices according toclaim 21, wherein said method further includes the step of: said firstentity establishing a connection with said third entity in response tosaid step of initiating.
 25. One or more processor readable storagedevices according to claim 24, wherein said step of initiating includesthe steps of: forwarding a message from said third entity to said secondentity; and forwarding said message from said second entity to saidfirst entity using said persistent connection.
 26. One or more processorreadable storage devices according to claim 25, wherein said step offorwarding said message from said second entity to said first entityusing said persistent connection includes the steps of: forwarding saidmessage from said second entity to a NAT device in said private network;and forwarding said message from said NAT device to said first entity.27. One or more processor readable storage devices according to claim25, wherein said step of said first entity establishing includes thestep of: sending a second message to said third entity from said firstentity outside of said persistent connection, wherein a newidentification is associated with said connection with said thirdentity.
 28. One or more processor readable storage devices according toclaim 27, wherein said step of sending said second message includes thesteps of: forwarding said second message from said first entity to a NATdevice in said private network; and forwarding said second message fromsaid NAT device to said third entity.
 29. One or more processor readablestorage devices according to claim 27, wherein said second message isincluded in a UDP segment that arrives at said third entity having aheader listing said new identification as a source port number.
 30. Oneor more processor readable storage devices according to claim 27,wherein said step of exchanging includes the step of: sending a thirdmessage to said first entity from said third entity outside of saidpersistent connection using said new identification.
 31. One or moreprocessor readable storage devices according to claim 30, wherein saidstep of sending said third message includes the steps of: forwardingsaid third message from said third entity to a NAT device in saidprivate network; and forwarding said third message from said NAT deviceto said first entity.
 32. One or more processor readable storage devicesaccording to claim 30, wherein said third message is included in a UDPsegment having a header listing said new identification as a destinationport number.
 33. One or more processor readable storage devicesaccording to claim 21, wherein said step of initiating is performedoutside of said persistent connection.
 34. One or more processorreadable storage devices according to claim 33, wherein said step ofinitiating includes the steps of: forwarding a message from said thirdentity to a NAT device in said private network using saididentification; and forwarding said message from said NAT device to saidfirst entity.
 35. One or more processor readable storage devicesaccording to claim 33, wherein said step of exchanging includes thesteps of: sending a second message to said third entity from said firstentity outside of said persistent connection; and sending a thirdmessage to said first entity from said third entity outside of saidpersistent connection using said identification.
 36. One or moreprocessor readable storage devices according to claim 35, wherein saidsecond message is included in a UDP segment that arrives at said thirdentity having a header listing said identification as a source portnumber and said third message is included in a UDP segment having aheader listing said identification as a destination port number.
 37. Anapparatus, comprising: a communication interface; one or more storagedevices; and one or more processors in communication with said one ormore storage devices and said communication interface, said one or moreprocessors programmed to perform a method for communicating, said methodcomprising the steps of: establishing a persistent connection between afirst entity in a private network and a second entity outside of saidprivate network; initiating communication with said first entity, saidcommunication is initiated by a third entity from outside said privatenetwork using an identification associated with said persistentconnection; and exchanging subsequent communication between said firstentity and said third entity outside of said persistent connection. 38.An apparatus according to claim 37, wherein said step of initiatingincludes the step of: sending a message from said third entity to saidfirst entity, wherein said third entity uses said identification insending said message and said third entity does not use a public addressunique to said first entity in sending said message.
 39. An apparatusaccording to claim 38, wherein said message is included in a UDP segmenthaving a header listing said identification as a destination portnumber.
 40. An apparatus according to claim 37, wherein said methodfurther includes the step of: said first entity establishing aconnection with said third entity in response to said step ofinitiating.
 41. An apparatus according to claim 40, wherein said step ofinitiating includes the steps of: forwarding a message from said thirdentity to said second entity; and forwarding said message from saidsecond entity to said first entity using said persistent connection. 42.An apparatus according to claim 40, wherein said step of said firstentity establishing includes the step of: sending a second message tosaid third entity from said first entity outside of said persistentconnection, wherein a new identification associated with said connectionwith said third entity.
 43. An apparatus according to claim 42, whereinsaid step of exchanging includes the step of: sending a third message tosaid first entity from said third entity outside of said persistentconnection using said new identification.
 44. An apparatus according toclaim 43, wherein said third message is included in a UDP segment havinga header listing said new identification as a destination port number.45. An apparatus according to claim 37, wherein said step of initiatingis performed outside of said persistent connection.
 46. An apparatusaccording to claim 45, wherein said step of exchanging includes thesteps of: sending a second message to said third entity from said firstentity outside of said persistent connection; and sending a thirdmessage to said first entity from said third entity outside of saidpersistent connection using said identification.
47. A method for communicating, comprising the steps of: receiving an identification associated with a persistent connection between a first entity in a private network and a second entity outside of said private network; initiating communication with said first entity, said communication is initiated from outside said private network using said identification; and sending, from outside said private network, one or more messages toward said first entity, said one or more messages transmitted outside of said persistent connection.
48. A method according to claim 47, wherein said step of initiating includes the step of: sending a message to said first entity in said private network from outside of said private network, using said identification in sending said message and not using a public address unique to said first entity in sending said message.
49. A method according to claim 48, wherein said message is forwarded to said first entity via said persistent connection and said step of sending said message includes the step of: forwarding said message to said second entity.
50. A method according to claim 47, wherein said method further includes the step of: receiving a second message from said first entity outside of said persistent connection, after said step of initiating communication.
51. A method according to claim 50, wherein said second message establishes a connection associated with a new identification.
52. A method according to claim 51, wherein said step of sending, from outside said private network, one or more messages includes the step of: sending a third message to said first entity outside of said persistent connection using said new identification.
53. One or more processor readable storage devices having processor readable code embodied on said one or more processor readable storage devices, said processor readable code for programming one or more processors to perform a method for communicating, said method comprising the steps of: receiving an identification associated with a persistent connection between a first entity in a private network and a second entity outside of said private network; initiating communication with said first entity, said communication is initiated from outside said private network using said identification; and sending, from outside said private network, one or more messages toward said first entity, said one or more messages transmitted outside of said persistent connection.
54. One or more processor readable storage devices according to claim 53, wherein said step of initiating includes the step of: sending a message to said first entity in said private network from outside of said private network, using said identification in sending said message and not using a public address unique to said first entity in sending said message.
55. One or more processor readable storage devices according to claim 54, wherein said message is forwarded to said first entity via said persistent connection and said step of sending said message includes the step of: forwarding said message to said second entity.
56. One or more processor readable storage devices according to claim 53, wherein said method further includes the step of: receiving a second message from said first entity outside of said persistent connection, after said step of initiating communication.
57. One or more processor readable storage devices according to claim 56, wherein said second message establishes a connection associated with a new identification, and wherein said step of sending, from outside said private network, one or more messages includes the step of: sending a third message to said first entity outside of said persistent connection using said new identification.
58. An apparatus, comprising: a communication interface; one or more storage devices; and one or more processors in communication with said one or more storage devices and said communication interface, said one or more processors programmed to perform a method for communicating, said method comprising the steps of: receiving an identification associated with a persistent connection between a first entity in a private network and a second entity outside of said private network; initiating communication with said first entity, said communication is initiated from outside said private network using said identification; and sending, from outside said private network, one or more messages toward said first entity, said one or more messages transmitted outside of said persistent connection.
59. An apparatus according to claim 58, wherein said step of initiating includes the step of: sending a message to said first entity in said private network from outside of said private network, using said identification in sending said message and not using a public address unique to said first entity in sending said message.
60. An apparatus according to claim 59, wherein said message is forwarded to said first entity via said persistent connection and said step of sending said message includes the step of: forwarding said message to said second entity.
61. An apparatus according to claim 58, wherein said method further includes the step of: receiving a second message from said first entity outside of said persistent connection, after said step of initiating communication.
62. An apparatus according to claim 61, wherein said second message establishes a connection associated with a new identification, and wherein said step of sending, from outside said private network, one or more messages includes the step of: sending a third message to said first entity outside of said persistent connection using said new identification.
63. A method for communicating, comprising the steps of: establishing a persistent connection between a first entity in a private network and a second entity outside of said private network; receiving an initial communication at said first entity from a third entity using an identification associated with said persistent connection, said third entity is outside said private network; and sending a subsequent communication from said first entity back toward said third entity, said communication does not travel through said persistent connection to said second entity.
64. A method according to claim 63, wherein said initial communication is received by said first entity via said persistent connection.
65. A method according to claim 64, wherein said subsequent communication establishes a connection with said third entity and a new identification is associated with said connection with said third entity.
66. A method according to claim 65, wherein said method further includes the step of: receiving a third communication from said third entity outside of said persistent connection, wherein said third communication uses said new identification.
67. A method according to claim 63, wherein said initial communication is received by said first entity outside of said persistent connection.
68. One or more processor readable storage devices having processor readable code embodied on said one or more processor readable storage devices, said processor readable code for programming one or more processors to perform a method for communicating, said method comprising the steps of: establishing a persistent connection between a first entity in a private network and a second entity outside of said private network; receiving an initial communication at said first entity from a third entity using an identification associated with said persistent connection, said third entity is outside said private network; and sending a subsequent communication from said first entity back toward said third entity, said communication does not travel through said persistent connection to said second entity.
69. One or more processor readable storage devices according to claim 68, wherein said initial communication is received by said first entity via said persistent connection.
70. One or more processor readable storage devices according to claim 69, wherein said subsequent communication establishes a connection with said third entity and a new identification is associated with said connection with said third entity.
71. One or more processor readable storage devices according to claim 70, wherein said method further includes the step of: receiving a third communication from said third entity outside of said persistent connection, wherein said third communication uses said new identification.
72. One or more processor readable storage devices according to claim 68, wherein said initial communication is received by said first entity outside of said persistent connection.
73. An apparatus, comprising: a communication interface; one or more storage devices; and one or more processors in communication with said one or more storage devices and said communication interface, said one or more processors programmed to perform a method for communicating, said method comprising the steps of: establishing a persistent connection between a first entity in a private network and a second entity outside of said private network; receiving an initial communication at said first entity from a third entity using an identification associated with said persistent connection, said third entity is outside said private network; and sending a subsequent communication from said first entity back toward said third entity, said communication does not travel through said persistent connection to said second entity.
74. An apparatus according to claim 73, wherein said initial communication is received by said first entity via said persistent connection.
75. An apparatus according to claim 74, wherein said subsequent communication establishes a connection with said third entity and a new identification is associated with said connection with said third entity.
76. An apparatus according to claim 75, wherein said method further includes the step of: receiving a third communication from said third entity outside of said persistent connection, wherein said third communication uses said new identification.
77. An apparatus according to claim 73, wherein said initial communication is received by said first entity outside of said persistent connection.
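The exchange of claims 47 to 52 and 63 to 67, walked through a small NAT simulation; this is an added example, not code from the patent. The addresses, the port-mapping NAT (with an optional address-restricted filtering mode, an assumption used to show when the relayed initiation of claims 49 and 64 succeeds where the direct initiation of claims 45 and 67 is dropped) and the class and function names are all assumptions.

```python
from dataclasses import dataclass, field

FIRST = ("10.0.0.5", 5000)        # first entity, inside the private network (constructed)
SECOND = ("198.51.100.2", 9000)   # second entity, other end of the persistent connection
THIRD = ("198.51.100.3", 7000)    # third entity, outside, wants to reach FIRST

@dataclass
class Nat:
    """Port-mapping NAT in front of the private network (assumed model).
    restricted=True models an address-restricted NAT that only passes inbound
    packets from peers the private host has already sent to."""
    restricted: bool = False
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # private (ip, port) -> public port
    peers: dict = field(default_factory=dict)   # public port -> ips contacted from it

    def outbound(self, src, dst):
        """Translate a packet leaving the private network; returns its public port."""
        port = self.table.setdefault(src, self.next_port)
        if port == self.next_port:          # a fresh mapping was just created
            self.next_port += 1
        self.peers.setdefault(port, set()).add(dst[0])
        return port

    def inbound(self, src, dst_port):
        """Private (ip, port) an inbound packet is delivered to, or None if dropped."""
        if self.restricted and src[0] not in self.peers.get(dst_port, set()):
            return None
        return next((p for p, pub in self.table.items() if pub == dst_port), None)

def run_exchange(nat, via_persistent_connection):
    # 1. FIRST keeps a persistent connection to SECOND; the public port the NAT
    #    assigns is the "identification" SECOND can hand to THIRD (claim 47).
    ident = nat.outbound(FIRST, SECOND)
    # 2. THIRD initiates using only that identification, either relayed by SECOND
    #    down the persistent connection (claims 48-49, 64) or directly (claims 45, 67).
    sender = SECOND if via_persistent_connection else THIRD
    if nat.inbound(sender, ident) != FIRST:
        return {"ident": ident, "initiated": False}
    # 3. FIRST answers outside the persistent connection from a new socket; the
    #    NAT assigns it a new public port, the "new identification" (claims 51, 65).
    reply_sock = (FIRST[0], 5001)
    new_ident = nat.outbound(reply_sock, THIRD)
    # 4. THIRD's third message uses the new identification (claims 52, 66).
    delivered = nat.inbound(THIRD, new_ident) == reply_sock
    return {"ident": ident, "initiated": True, "new_ident": new_ident,
            "third_message_delivered": delivered}
```

With `Nat()` both initiation paths deliver; with `Nat(restricted=True)` only the path relayed through the second entity reaches the first entity, after which the third message still arrives because the first entity's reply created the new mapping.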